Notepad++, a widely used open-source text editor, was recently affected by a serious cybersecurity incident. Investigators confirmed that the attack targeted the hosting infrastructure used to distribute software updates. The breach has been linked to a China-associated hacking group known as Lotus Blossom. The software itself was not exploited directly.

Notepad++ logo displayed on a digital background highlighting the hosting infrastructure compromise while the software itself remained intact.

The attack took place over several months, beginning in June 2025 and continuing until early December 2025. During this period, attackers gained access to a server involved in Notepad++ update delivery. This allowed them to interfere with how updates were served to certain users. The incident is classified as a supply-chain attack.

Instead of receiving legitimate updates, a limited number of users were redirected to malicious files. These files were designed to install malware that could quietly provide attackers with system access. The activity was highly targeted and did not impact the entire user base. This indicates a focused espionage objective rather than a mass attack.

Cybersecurity graphic showing malware being blocked, representing malicious files delivered through compromised Notepad++ update servers.

Cybersecurity researchers from Rapid7 investigated the malicious infrastructure and behavior. Their analysis linked the activity with moderate confidence to the Lotus Blossom hacking group. This group has a long history of cyber-espionage operations. It is known for targeting government bodies, telecom firms, media organizations, and critical infrastructure.

The attackers lost direct control of the compromised hosting server in September 2025. However, they had already stolen valid credentials that allowed them to continue redirecting traffic. Using these credentials, they extended the attack until December 2, 2025. This prolonged the impact even after initial access was cut off.

Close-up of a software update interface representing how attackers abused the Notepad++ update delivery system in a supply-chain attack.

Notepad++ maintainer Don Ho publicly confirmed the breach and explained how it occurred. He clarified that the Notepad++ source code and official releases were not modified. The compromise was limited to external hosting systems. Only specific users, singled out by the targeted redirection, were affected.

Following the discovery, the Notepad++ project took immediate corrective action. The website and update infrastructure were migrated to a new hosting provider. Additional security checks were introduced to verify update integrity. These measures aim to prevent similar attacks in the future.

Illustration of a hooded hacker symbolizing a China-associated cyber espionage group linked to the Notepad++ hosting infrastructure breach.

Security experts say the incident highlights the growing threat of supply-chain attacks. Even trusted and well-maintained software can be abused through compromised infrastructure. The case serves as a reminder that update delivery systems must be protected as carefully as the software itself.

Stay alert, and keep your security measures updated!
